[one-users] user management

Shi Jin jinzishuai at gmail.com
Wed Oct 21 07:10:58 PDT 2009


Hi Tino,

Thank you very much.

I agree with you that if the one_auth file is stolen, it gives out the
same permission either hashed or not.
However, the hashed password makes it a lot harder for somebody to
remember the password with a quick glimpse of the file.
Also, people tend to use the same password for many things. If the
plain text one_auth is stolen, it can cause damage a lot bigger than
just in OpenNebula.

If one_auth is only used once to store the oneadmin password, would it
be better if the system asked for this password on the command line when
it is first started? Of course I could manually delete the one_auth
file after the startup. This way it seems to be more elegant.

I agree that SSL encryption is more important than hashing the access key.

Shi

On Wed, Oct 21, 2009 at 7:42 AM, Tino Vazquez <tinova at fdi.ucm.es> wrote:
> Hi Shi Jin,
>
> Storing the password in a hash in the one_auth file wouldn't help a
> lot since if the file is stolen it can be used in the very same way.
> This file protection is based on unix file permissions. This file for
> the 'oned' process is just needed the first time it runs because it
> sets the 'oneadmin' password, but after the first run it can be
> erased.
>
> About having the access key hashed in the EC2 service, it is not in
> our short term roadmap. What is, though, is documentation
> explaining how to set up the EC2 service using SSL, so the
> communication where the secret and access key are passed will be
> encrypted.
>
> Hope this helps,
>
> -Tino
>
> --
> Constantino Vázquez, Grid Technology Engineer/Researcher:
> http://www.dsa-research.org/tinova
> DSA Research Group: http://dsa-research.org
> Globus GridWay Metascheduler: http://www.GridWay.org
> OpenNebula Virtual Infrastructure Engine: http://www.OpenNebula.org
>
>
>
> On Wed, Oct 21, 2009 at 1:18 AM, Shi Jin <jinzishuai at gmail.com> wrote:
>> Hi there,
>>
>> I have a couple of questions regarding user management in OpenNebula.
>> 1. I just updated the subversion code and found out the ONE_AUTH has
>> already been used to point to a file to maintain the
>> <username>:<password> combo, which I think is better than an
>> environment variable. However, the plain text password is still
>> stored. I am wondering whether it is better to actually store the
>> hashed password instead, just like what's stored in the database and
>> what "oneuser list" gives. Also, if we only want to start the
>> OpenNebula service on a machine, not to run any command, do we really
>> need to set up this environment variable? I tried without in "one
>> start". I got an error message about it but the service seems to be
>> running already.
>>
>> 2. In AWS EC2, both the access key and the secret key are hashed. I
>> tried to use the econe API and found out only the secret key is hashed
>> while the access key is still the plain text username. For security
>> considerations, I think hashing both keys like EC2 is a better
>> solution and I don't think it is that much more technically challenging. Am I
>> right about this?
>>
>> I would love to learn whether the above issues are within OpenNebula
>> roadmap. Thank you very much.
>>
>>
>> --
>> Shi Jin, Ph.D.
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>



-- 
Shi Jin, Ph.D.
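The thread settles on two things about one_auth: its only protection is unix file permissions, and the process needs the credential just once at startup, so the file could be replaced by a prompt. The following is an added illustration written for this page, not OpenNebula code and not something either poster supplied. The only detail taken from the thread is the file format (a single `<username>:<password>` line, located via the ONE_AUTH variable); the permission and ownership checks, the symlink check and the getpass fallback are assumed hardening measures, and the sample credentials it writes are constructed.

```python
"""Defensive loader for a one_auth-style credential file.

Added example, not OpenNebula's own code. Assumed file format (from the
thread): one line "<username>:<password>", path taken from $ONE_AUTH.
Everything else here is an assumption about how such a startup path
could be hardened.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field
from getpass import getpass


@dataclass
class AuthFileReport:
    username: str
    problems: list = field(default_factory=list)  # empty when the file is acceptable

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_auth_line(line: str) -> tuple:
    """Split '<username>:<password>'; the password may itself contain ':'."""
    username, sep, password = line.rstrip("\r\n").partition(":")
    if not sep or not username or not password:
        raise ValueError("one_auth must contain one '<username>:<password>' line")
    return username, password


def check_auth_file(path: str) -> AuthFileReport:
    """Parse the file and report every permission weakness found, without fixing it."""
    problems = []
    if stat.S_ISLNK(os.lstat(path).st_mode):
        problems.append("path is a symbolic link; a credential file should be a regular file")
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # The thread's whole protection model is these bits, so any group/other access is a finding.
        problems.append(f"mode {mode:04o} grants group/other access; expected 0600")
    if st.st_uid != os.geteuid():
        problems.append(f"owned by uid {st.st_uid}, not the running uid {os.geteuid()}")
    with open(path, encoding="utf-8") as fh:
        username, _password = parse_auth_line(fh.readline())
    return AuthFileReport(username=username, problems=problems)


def load_credentials(path: str = None) -> tuple:
    """Return (username, password): from a well-protected file if present, else by prompting.

    The prompt branch is the alternative Shi suggests in the thread (ask once at
    startup instead of keeping the secret on disk); it is an assumption, not a
    description of how OpenNebula behaves.
    """
    path = path or os.environ.get("ONE_AUTH")
    if path and os.path.exists(path):
        report = check_auth_file(path)
        if not report.ok:
            # Refuse to start with a leaky credential file rather than silently using it.
            raise PermissionError("; ".join(report.problems))
        with open(path, encoding="utf-8") as fh:
            return parse_auth_line(fh.readline())
    username = input("admin username: ")
    return username, getpass("admin password: ")


def demo() -> list:
    """Write two constructed one_auth files (one locked down, one world-readable) and check both."""
    tmpdir = tempfile.mkdtemp()
    reports = []
    for name, mode in (("good_auth", 0o600), ("loose_auth", 0o644)):
        p = os.path.join(tmpdir, name)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write("oneadmin:constructed-example-secret\n")  # constructed sample, not a real credential
        os.chmod(p, mode)
        reports.append(check_auth_file(p))
    return reports


if __name__ == "__main__":
    for r in demo():
        print(r.username, "OK" if r.ok else r.problems)
```

`check_auth_file` only reports; the decision to refuse startup lives in `load_credentials`, so the same check can be reused by a monitoring job that merely wants to flag loose files. Deleting the file after first start, as both posters mention, stays a manual step and is not done here.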


